Introduction
The hacking group Slow Pisces [6] [8], affiliated with the North Korean regime, has been actively targeting cryptocurrency developers through sophisticated social engineering tactics. This campaign, primarily conducted on LinkedIn, involves posing as recruiters to lure victims into downloading malicious code. The group’s activities highlight the growing threat of state-sponsored cyberattacks in the cryptocurrency sector.
Description
North Korean hackers [3] [4] [6] [8], specifically the hacking group Slow Pisces—also known as Jade Sleet, TraderTraitor [2] [4] [7] [8], and PUKCHONG—affiliated with the regime, have initiated a malicious campaign targeting cryptocurrency developers on LinkedIn through social engineering tactics [6]. Posing as recruiters [5] [6] [7] [8], these state-sponsored threat actors first contact potential victims with benign PDF files containing fake job descriptions. If the targets engage [7], they are directed to GitHub repositories that host malicious coding challenges [7]. These repositories [3] [6] [7], while appearing legitimate and often based on actual open-source projects [7], contain hidden malicious components that connect to the attackers’ command-and-control (C2) servers [7].
The malicious code embedded within these repositories uses YAML deserialization and the EJS escapeFunction option to evade detection. The malware, identified as RN Loader and RN Stealer [1] [2] [6] [8], infects the developer’s system when they attempt to run the compromised project [1]. RN Loader collects basic system information [8], while RN Stealer targets sensitive data [8], including usernames and installed applications [8], particularly from macOS systems [8]. The attack process unfolds in several stages: the initial PDF lure [1], the GitHub repositories with malicious code [1] [3], and the C2 server that delivers the final payload [1]. The group employs a targeted approach [1]: it confirms the target’s location and system details to evade detection [8] and sends malicious payloads only to validated targets, selected on factors such as IP address and geolocation [1].
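The two evasion techniques named above leave recognisable traces in a repository before anything is run: a PyYAML loader that honours object-constructing tags, a YAML file that carries such tags, or an EJS render call that supplies an escapeFunction. The following Python script is an added example for reviewing a "coding challenge" repository offline; it is not code from the original article or from any of the cited reports, and its rule set is a heuristic the editor wrote, not a vendor signature. The sample files it scans are constructed inline for illustration; point it at a directory path instead to review a real checkout.

```python
"""Pre-run review of a cloned repository for the two data-driven
code-execution patterns described in the article (PyYAML unsafe
deserialisation and the EJS escapeFunction option).  Added example
with constructed samples; the rules are editor-written heuristics."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


# (rule id, file suffixes the rule applies to, pattern, why it matters)
RULES = [
    ("PY_YAML_UNSAFE_LOAD", {".py"},
     re.compile(r"\byaml\.(?:unsafe_load|full_load)(?:_all)?\s*\("),
     "loader can instantiate arbitrary Python objects from the document"),
    ("PY_YAML_LOAD_NO_SAFE_LOADER", {".py"},
     re.compile(r"\byaml\.load(?:_all)?\s*\((?![^)\n]*(?:SafeLoader|BaseLoader))"),
     "yaml.load() without SafeLoader/BaseLoader; defaults are not safe"),
    ("YAML_PYTHON_TAG", {".yaml", ".yml"},
     re.compile(r"!!python/"),
     "document carries a !!python/ tag that only unsafe loaders honour"),
    ("EJS_ESCAPE_FUNCTION", {".js", ".ts", ".json", ".ejs"},
     re.compile(r"\bescapeFunction\b"),
     "EJS escapeFunction option hands the template engine a callable"),
]

# Directories that add noise without being the project's own code.
SKIP_DIRS = {".git", "node_modules", "__pycache__"}


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply every rule whose suffix set matches `path` to each line."""
    suffix = Path(path).suffix.lower()
    findings: list[Finding] = []
    for rule, suffixes, pattern, _why in RULES:
        if suffix not in suffixes:
            continue
        for lineno, line in enumerate(text.splitlines(), start=1):
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Walk a checkout and scan every regular file outside SKIP_DIRS."""
    findings: list[Finding] = []
    for p in root.rglob("*"):
        if not p.is_file() or SKIP_DIRS.intersection(p.parts):
            continue
        try:
            text = p.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings.extend(scan_text(str(p), text))
    return findings


# Constructed sample checkout: one unsafe load, one safe load, one tagged
# YAML document and one EJS call supplying escapeFunction.
SAMPLE_FILES = {
    "challenge/config.py":
        "import yaml\n\nwith open('settings.yaml') as fh:\n"
        "    settings = yaml.load(fh, Loader=yaml.Loader)\n",
    "challenge/safe_config.py":
        "import yaml\n\nwith open('settings.yaml') as fh:\n"
        "    settings = yaml.safe_load(fh)\n",
    "challenge/settings.yaml":
        "timeout: 30\ncallback: !!python/name:os.getcwd\n",
    "challenge/views.js":
        "const ejs = require('ejs');\n"
        "module.exports = (tpl, data, opts) =>"
        " ejs.render(tpl, data, { escapeFunction: opts.escape });\n",
}


def scan_samples() -> list[Finding]:
    """Scan the constructed sample files (expected: three findings)."""
    out: list[Finding] = []
    for path, text in SAMPLE_FILES.items():
        out.extend(scan_text(path, text))
    return out


def main(argv: list[str]) -> int:
    findings = scan_tree(Path(argv[1])) if len(argv) > 1 else scan_samples()
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {f.snippet}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A hit is a reason to read the flagged line and the data it consumes, not proof of malice: yaml.load without a safe loader and escapeFunction both have legitimate uses, but in a repository received unsolicited from a "recruiter" they are exactly the places where a payload fetched from elsewhere would be turned into executing code, so the review should finish before the project is run.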
In 2023, Slow Pisces reportedly stole over $1 billion USD from the cryptocurrency sector through various methods [2] [3], including fake trading applications and malware distributed via the Node Package Manager (NPM) [2]. They utilize Python and JavaScript repositories to covertly distribute infostealer malware [3], mixing legitimate repositories with malicious ones to carry out their attacks [3]. Notably, on February 21, 2024, the group executed a significant heist, stealing nearly $1.5 billion from Bybit [4], the world’s second-largest cryptocurrency exchange [4]. This incident underscores their focus on targeting cryptocurrency platforms and developers, employing sophisticated techniques such as spear-phishing to infiltrate Web3 firms [4].
Recent research has identified 50 North Korean recruiter profiles on LinkedIn linked to TraderTraitor [4], highlighting their strategic approach to engaging with individuals in the cryptocurrency industry [4]. In response to these threats, both LinkedIn and GitHub have removed the malicious accounts associated with this group for violating their terms of service [8]. Threat intelligence has been shared with analysts at GitHub and LinkedIn to address the relevant accounts and repositories [2], underscoring the need for increased awareness of this evolving threat in the industry. The activities of Slow Pisces highlight the sophisticated tactics employed by state-sponsored threat groups in the cryptocurrency sector [1], combining social engineering with advanced malware techniques [1], including payloads that operate solely in memory to evade detection [3]. Security experts advise developers to be cautious of unsolicited coding challenges and to verify URLs linked in job tests [8].
Conclusion
The activities of Slow Pisces underscore the significant threat posed by state-sponsored cyberattacks on the cryptocurrency industry. The group’s sophisticated use of social engineering and advanced malware techniques highlights the need for heightened vigilance and robust cybersecurity measures. As these threats continue to evolve, it is crucial for industry stakeholders to collaborate on intelligence sharing and to implement proactive strategies to mitigate potential risks. Developers and firms must remain cautious of unsolicited communications and verify the authenticity of job offers and coding challenges to protect against such malicious campaigns.
References
[1] https://securityonline.info/slow-pisces-targets-crypto-developers-with-deceptive-coding-challenges/
[2] https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
[3] https://thenimblenerd.com/article/python-repositories-infested-malware-heist-hits-crypto-developers/
[4] https://www.wired.com/story/tradertraitor-north-korea-crypto-theft/
[5] https://gbhackers.com/slow-pisces-group-targets-developers/
[6] https://www.infosecurity-magazine.com/news/north-korea-hackers-linkedin/
[7] https://cyberpress.org/slow-pisces-malicious-python/
[8] https://www.wizcase.com/news/slow-pisces-developer-job-scam/